A man named Ibrahim Balic has identified himself as the person behind a <a href="http://www.electronista.com/articles/13/07/21/warns.developers.that.some.info.may.have.been.stolen/">hack of the Apple Developer Center</a>. Balic <a href="http://techcrunch.com/2013/07/21/apple-confirms-that-the-dev-center-has-potentially-been-breached-by-hackers/">describes</a> himself as a "security researcher," only interested in seeing "how deep" he could go rather than causing any problems. He adds that he reported 13 bugs to Apple, one of which allowed him to gain access to user information.<br /><br />Details of 73 users, all of them Apple workers, were allegedly turned over to the company as an example. Thursday's Dev Center shutdown is said to have taken place just four hours later. Balic states that he wants to clear his name, and that he's worried about potential legal action.<br />
<br />
In all, he claims to have obtained over 100,000 encrypted user details; a YouTube video shows a handful of names in email addresses. Those details, though, will supposedly be deleted.<br />
<br />
<div align="center"><iframe width="560" height="315" src="//www.youtube.com/embed/q000_EOWy80" frameborder="0" allowfullscreen></iframe></div>

DiabloConQueso

Jul 22, 2013 11:36 AM

"...adhering to the regulations and law..."

Whoa, there, buddy... doing pentests without explicit permission from the entity you're testing is most certainly NOT within the bounds of the law. Simply saying "I am operating within the bounds of the law" does not make it so, similar to signs that say, "Stay back 200 feet -- not responsible for broken windshields" not absolving the company of liability and responsibility for broken windshields.

Simply posting a disclaimer does not absolve one of legal responsibility. The laws govern you absolutely, despite exclaiming that they do not.

daqman

Jul 22, 2013 11:50 AM

So, describing yourself as a "Security Researcher" absolves you of any responsibility or expectation that you will apply common sense? Sure he found problems but he did it in a way that disrupted a lot of people, wasted time and money and was not authorised by Apple or anyone else.

How about we have a "murder researcher", just seeing how deep he can push the knife before someone croaks?

coffeetime

Jul 22, 2013 01:14 PM

How about someone did a home invasion on his property just to see how deep it can harm? Just making sure you put a sign up saying "I did it and not responsible for any damage". Typical hacker's ego that takes over their moral sense.

Makosuke

Jul 22, 2013 04:34 PM

Assuming the guy is genuinely white-hat and is being entirely truthful about what he did (a lot of places have been reporting an unusual number of attempted password resets on accounts used on dev center, but that could theoretically be coincidence), then that in no way makes it legal, but this isn't out of line with how security researchers usually operate. And in any case--again, assuming it's true--Apple should be thankful that somebody non-malicious found the holes for them. It might explain why they didn't immediately say something.

Apple's response, however, was correct, in any case--you might choose not to pursue a legal attack against a hacker if you decide that they were white-hat and helping you find and fix a hole, but it is still the right thing to do to treat it as a regular breach in which user data may have been compromised.

He said he only sent data on Apple employees to them, which might explain why they said they didn't know if user data had been accessed or not, but it could have been.

Sebastien

Jul 22, 2013 05:57 PM

Quote, Originally Posted by DiabloConQueso
(Post 4239720)

"...adhering to the regulations and law..."

Whoa, there, buddy... doing pentests without explicit permission from the entity you're testing is most certainly NOT within the bounds of the law. Simply saying "I am operating within the bounds of the law" does not make it so, similar to signs that say, "Stay back 200 feet -- not responsible for broken windshields" not absolving the company of liability and responsibility for broken windshields.

Simply posting a disclaimer does not absolve one of legal responsibility. The laws govern you absolutely, despite exclaiming that they do not.

Agreed - he sounds like the Gizmodo guy trying to 'pretend' he didn't know the phone he "bought" was an iPhone 4 prototype and that he didn't "ransom" it to Apple. Totally blameless!

Sebastien

Jul 22, 2013 05:59 PM

Quote, Originally Posted by Makosuke
(Post 4239772)

Assuming the guy is genuinely white-hat and is being entirely truthful about what he did (a lot of places have been reporting an unusual number of attempted password resets on accounts used on dev center, but that could theoretically be coincidence), then that in no way makes it legal, but this isn't out of line with how security researchers usually operate.

Real researchers do it in a 'closed' environment: against their own servers running the same software, or on their own user accounts with the cooperation of the entity they're testing against.